This update supports a new PKCS#11 attribute CKA_NSS_MOZILLA_CA_POLICY. The attribute has been defined by NSS version 3.30. The attribute is expected to be set to true for CA certificates that have been added as part of the Mozilla CA Policy process.

The enhancement is required for compatibility with the future Firefox 54 release, which will query this attribute when accessing root CA certificates from the loaded CA trust module. On Fedora, Firefox is configured to access the p11-kit-trust module, instead of the NSS CA trust module nssckbi. This change to the ca-certificates package will make the attribute available to p11-kit-trust and Firefox.

Support for this new attribute requires p11-kit-trust version and build 0.23.2-3, which contains the relevant backported functionality from upstream version 0.23.5.

To enable the addition of this attribute, the ca-certificates package has been changed to use p11-kit-trust's flexible p11-kit-object-v1 file format for the internal packaging of the CA certificates list.

The update-ca-trust command has been changed to add comments to extracted PEM format files.

The changes in this package version shouldn't affect any existing functionality or trust.

How to install

sudo dnf upgrade --advisory=FEDORA-2017-a11057f70e

This update has been submitted for testing by kengert.

3 years ago

kengert edited this update.

3 years ago
User Icon hreindl commented & provided feedback 3 years ago
karma

works for me the whole day (firefox, thunderbird....)

This update has been pushed to testing.

3 years ago
User Icon bojan commented & provided feedback 3 years ago
karma

Works here on x86_64.

User Icon cserpentis commented & provided feedback 3 years ago
karma

works for me

User Icon alciregi provided feedback 3 years ago
karma
User Icon filiperosset commented & provided feedback 3 years ago
karma

no regressions noted

User Icon yuwata commented & provided feedback 3 years ago
karma

works for me

User Icon lupinix commented & provided feedback 3 years ago
karma

LGTM

User Icon renault commented & provided feedback 3 years ago
karma

No regressions here

User Icon wdpypere commented & provided feedback 3 years ago
karma

works for me

User Icon kparal commented & provided feedback 3 years ago
karma

https in firefox works fine

This update has been submitted for stable by kengert.

3 years ago

This update has been unpushed.

This update has been submitted for stable by kengert.

3 years ago

This update has been pushed to stable.

3 years ago

Please login to add feedback.

Metadata
Type
enhancement
Karma
10
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
3 years ago
in testing
3 years ago
in stable
3 years ago
modified
3 years ago
BZ#1418739 ca-certificates must set the nss-mozilla-ca-policy pkcs#11 attribute for Mozilla CAs
0
0
BZ#1418741 Change the CA + trust input format given from ca-certificates to p11-kit-trust
0
0

Automated Test Results